Table of Contents
Technical Details
Store administrator disables plug-ins
woocommerce/includes/admin/class-wc-admin-status.php
woocommerce/includes/log-handlers/class-wc -log-handler-file.php
Home Operation and Maintenance Safety How to solve the arbitrary file deletion vulnerability in WordPress plugin WooCommerce

How to solve the arbitrary file deletion vulnerability in WordPress plugin WooCommerce

May 13, 2023 pm 06:16 PM
wordpress woocommerce

Technical Details

The permission processing mechanism of WordPress is mainly implemented by providing different functions for different roles. When the store administrator role is defined, it will assign the edit_users function to this role, so that They can directly manage the store's customer account. The entire permission assignment process occurs during the installation process of the plug-in. woocommerce/includes/class-wc-install.php:

//Shop manager role.add_role(       'shop_manager',      // Internal name of the new role       'Shop manager',      // The label for displaying       array(               // Capabilities                ⋮              'read_private_posts'     => true,              'edit_users'             => true,              'edit_posts'             => true,                ⋮       ));
Copy after login

The role permission information will be stored in the database as WordPress core settings, which means that the user role is now independent of the plugin, even if the plugin is not enabled , and will not affect related role permissions.

When an authenticated user attempts to modify other user information, the current_user_can() function is called, and then ensures that only privileged users can perform this operation. Current_user_can() function call example:

$target_user_id= $_GET['target_user_id'];if(current_user_can('edit_user',$target_user_id)) {    edit_user($target_user_id);}
Copy after login

The verification logic of the call is as follows: This user wants to use the ID $target_user_id to modify a specific user. Does he have the permission to execute?

Under the default configuration, the edit_users function allows users with permissions (such as store administrators) to edit other users, even administrator users, and then perform operations such as password updates. For security reasons, WooCommerce needs to specify whether store administrators can edit users, so the plug-in needs to add meta permissions. Meta functions can be called by current_user_can(). The value returned by the function under the default behavior is true, but the value returned by the meta permission function can determine whether the current user can perform such an operation. The following is the abstract function code of the WooCommerce meta permission filter:

function disallow_editing_of_admins( $capability, $target_user_id ) {       // If the user is an admin return false anddisallow the action    if($capability == "edit_user"&& user_is_admin($target_user_id)) {        return false;    } else {        return true;    }}add_filter('map_meta_cap', 'disallow_editing_of_admins');
Copy after login

For example, when current_user_can('edit_user', 1) is called, the filter will determine that the ID is 1 ($target_user_id) Whether the user is an administrator, and based on the results, determine whether to allow the user to operate.

Store administrator disables plug-ins

By default, only administrators can disable plug-ins. However, this vulnerability allows store administrators to delete any writable file on the server, so we can prevent WordPress from loading the plug-in by deleting WooCommerce’s main file-woocommerce.php.

This file deletion vulnerability exists in the logging function of WooCommerce. The logs will be stored in the wp-content directory in the form of .log files. When the store administrator wants to delete a log file, he needs to submit the file name as a GET parameter. The code snippet shown below is the vulnerable part:

woocommerce/includes/admin/class-wc-admin-status.php

class WC_Admin_Status{    public static function remove_log()    {    ⋮        $log_handler = newWC_Log_Handler_File();       $log_handler->remove(wp_unslash($_REQUEST['handle']));}
Copy after login

woocommerce/includes/log-handlers/class-wc -log-handler-file.php

class WC_Log_Handler_File extends WC_Log_Handler{    public function remove($handle)    {    ⋮        $file = trailingslashit(WC_LOG_DIR) .$handle;    ⋮unlink($file);
Copy after login

The problem here is that the file name ($handle) will be added to the log directory (wp-content/wc-logs/) and then passed to unlink( )function. When setting "$handle../../plugins/woocommerce-3.4.5/woocommerce.php", file wp-content/wc-logs/../../plugins/woocommerce-3.4.5/woocommerce. php will be removed, causing WooCommerce to be disabled.

The above is the detailed content of How to solve the arbitrary file deletion vulnerability in WordPress plugin WooCommerce. For more information, please follow other related articles on the PHP Chinese website!

Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Hot AI Tools

Undresser.AI Undress

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress AI Tool

Undress images for free

Clothoff.io

Clothoff.io

AI clothes remover

Video Face Swap

Video Face Swap

Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Tools

Notepad++7.3.1

Notepad++7.3.1

Easy-to-use and free code editor

SublimeText3 Chinese version

SublimeText3 Chinese version

Chinese version, very easy to use

Zend Studio 13.0.1

Zend Studio 13.0.1

Powerful PHP integrated development environment

Dreamweaver CS6

Dreamweaver CS6

Visual web development tools

SublimeText3 Mac version

SublimeText3 Mac version

God-level code editing software (SublimeText3)

How to close comments with wordpress How to close comments with wordpress Apr 20, 2025 am 11:54 AM

How to turn off a comment in WordPress? Specific article or page: Uncheck Allow comments under Discussion in the editor. Whole website: Uncheck "Allow comments" in "Settings" -> "Discussion". Using plug-ins: Install plug-ins such as Disable Comments to disable comments. Edit the topic file: Remove the comment form by editing the comments.php file. Custom code: Use the add_filter() function to disable comments.

What to do if there is an error in wordpress What to do if there is an error in wordpress Apr 20, 2025 am 11:57 AM

WordPress Error Resolution Guide: 500 Internal Server Error: Disable the plug-in or check the server error log. 404 Page not found: Check permalink and make sure the page link is correct. White Screen of Death: Increase the server PHP memory limit. Database connection error: Check the database server status and WordPress configuration. Other tips: enable debug mode, check error logs, and seek support. Prevent errors: regularly update WordPress, install only necessary plugins, regularly back up your website, and optimize website performance.

How to copy wordpress code How to copy wordpress code Apr 20, 2025 pm 12:00 PM

How to copy WordPress code? Copy from the admin interface: Log in to the WordPress website, navigate to the destination, select the code and press Ctrl C (Windows)/Command C (Mac) to copy the code. Copy from a file: Connect to the server using SSH or FTP, navigate to the theme or plug-in file, select the code and press Ctrl C (Windows)/Command C (Mac) to copy the code.

How to upload source code for wordpress How to upload source code for wordpress Apr 20, 2025 pm 12:03 PM

You can install the FTP plug-in through WordPress, configure the FTP connection, and then upload the source code using the file manager. The steps include: installing the FTP plug-in, configuring the connection, browsing the upload location, uploading files, and checking that the upload is successful.

How to display wordpress comments How to display wordpress comments Apr 20, 2025 pm 12:06 PM

Enable comments in WordPress website: 1. Log in to the admin panel, go to "Settings" - "Discussions", and check "Allow comments"; 2. Select a location to display comments; 3. Customize comments; 4. Manage comments, approve, reject or delete; 5. Use <?php comments_template(); ?> tags to display comments; 6. Enable nested comments; 7. Adjust comment shape; 8. Use plugins and verification codes to prevent spam comments; 9. Encourage users to use Gravatar avatar; 10. Create comments to refer to

How to write a header of a wordpress How to write a header of a wordpress Apr 20, 2025 pm 12:09 PM

The steps to create a custom header in WordPress are as follows: Edit the theme file "header.php". Add your website name and description. Create a navigation menu. Add a search bar. Save changes and view your custom header.

How to copy sub-sites from wordpress How to copy sub-sites from wordpress Apr 20, 2025 pm 12:12 PM

How to copy WordPress subsites? Steps: Create a sub-site in the main site. Cloning the sub-site in the main site. Import the clone into the target location. Update the domain name (optional). Separate plugins and themes.

WordPress website building and avoid pits WordPress website building and avoid pits Apr 20, 2025 am 08:06 AM

Be cautious when building a WordPress website. The guide to breaking through pits helps you avoid risks: choose paid themes and avoid the quality and safety risks of free themes. "Less is more" when installing plugins to avoid website speed and compatibility issues. Regularly optimize the database to ensure the smooth operation of the website. Pay attention to security measures and regularly update and install security plug-ins. Modify the code carefully to avoid website crashes and do it in a test environment if necessary. Pay attention to performance optimization, improve website speed, and improve user experience.

See all articles